CVE-2017-3546

MEDIUM

Oracle PeopleSoft Products - Unauth Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-3546. PoCs published by ERPScan.

AI-analyzed exploit summary This is a detailed advisory for CVE-2017-3546, an SSRF vulnerability in Oracle PeopleSoft IMServlet. It includes technical descriptions, affected versions, and a proof-of-concept (PoC) demonstrating how an attacker can force the server to make malicious requests to internal or external resources.

Description

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

Exploits (1)

exploitdb WRITEUP

by ERPScan · textwebappsjava

https://www.exploit-db.com/exploits/42034

View Code ZIP pw:eip

This is a detailed advisory for CVE-2017-3546, an SSRF vulnerability in Oracle PeopleSoft IMServlet. It includes technical descriptions, affected versions, and a proof-of-concept (PoC) demonstrating how an attacker can force the server to make malicious requests to internal or external resources.

Classification

Writeup 90%

Attack Type

Ssrf

Complexity

Moderate

Reliability

Reliable

Target: Oracle PeopleSoft (ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55; PeopleSoft HCM 9.2)

No auth needed

Prerequisites: Network access to the vulnerable PeopleSoft server

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory x_refsource_misc

https://erpscan.io/advisories/erpscan-17-022-ssrf-peoplesoft-imservlet/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/97872

Patch, Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038301

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42034/

Scores

CVSS v3 6.5

EPSS 0.0964

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (4)

oracle/peoplesoft_enterprise_peopletools 8.54

oracle/peoplesoft_enterprise_peopletools 8.55

Oracle Corporation/PeopleSoft Enterprise PT PeopleTools 8.54

Oracle Corporation/PeopleSoft Enterprise PT PeopleTools 8.55

Published Apr 24, 2017

Tracked Since Feb 18, 2026